kbs/token: add token expiration time checking

Every JWT should have an `exp` field in the claims body, which defines the expired time of itself. This check avoids a token to be used endlessly. Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Nov 6, 2024 · c62d109 · c62d109
1 parent 85b7ab8
commit c62d109
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/kbs/src/token/jwk.rs b/kbs/src/token/jwk.rs
@@ -21,6 +21,7 @@ use std::fs::File;
 use std::io::BufReader;
 use std::result::Result::Ok;
 use std::str::FromStr;
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use thiserror::Error;
 use tokio::fs;
 
@@ -213,6 +214,16 @@ impl JwkAttestationTokenVerifier {
         let token_data = decode::<Value>(&token, &dkey, &Validation::new(alg))
             .context("Failed to decode attestation token")?;
 
+        let Some(exp) = token_data.claims.get("exp") else {
+            bail!("Failed to find `exp` in token claims");
+        };
+
+        let exp = exp.as_i64().ok_or(anyhow!("`exp` is not an integer"))?;
+
+        if SystemTime::now().duration_since(UNIX_EPOCH)? > Duration::from_secs(exp as u64) {
+            bail!("Token expired");
+        }
+
         Ok(token_data.claims)
     }
 }